RTF malware analysis — malicious · 6b7646c2c69dff21

MALICIOUS

RTF

1.70 MB Created: 2018-07-31 23:59:00 Authoring application: Riched20 6.3.9600 First seen: 2019-09-30

MD5: 5da6a47a1f0a675c5ad10d44741d24b9 SHA-1: 172451d46d2d41851c6e24e7c0db61c4b7c4f114 SHA-256: 6b7646c2c69dff21609dc02e83095b77d762038cfaf10134c44bd1f83bb6664f

322 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF document contains multiple indicators of malicious activity, including embedded OLE objects and a critical firing for CVE-2017-8759. The presence of excessive hex data within OLE objects suggests the hiding of a payload. The document body contains garbled text but references a URL that is likely part of the attack chain. The exploitation of CVE-2017-8759 directly leads to client execution.

Heuristics 10

Split hex Equation Editor ProgID + OLE object critical CVE likely RTF_EQUATION_EDITOR

RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~1669KB of hex-encoded data inside \objdata sections — may hide a payload
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAM

RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://lis.ly.gov.tw In RTF body
- https://lis.ly.gov.tw}{In RTF body
- http://schemas.microsoft.com/office/word/2003/wordmlIn RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off0001448a.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x1448A	829754 bytes
SHA-256: `5ccc6bf7ad23e863d4ee27ffa9bf541f7050ed199e95803833a26a475cc9abfb`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.59, consistent with packed or encrypted content.
`objdata_01_off001a9a06.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x1A9A06	4141 bytes
SHA-256: `74940b3fd785dd58727f8870eb7429195311fa540871aab1cbccfb66ec69adb4`
`objdata_02_off001abf8b.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x1ABF8B	7154 bytes
SHA-256: `aa0334eba9fd2b4c0ea47594cfefc9fc7c5bbcf0483c1ab618bc50a2c6c92045`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: NOP sled

Open this report in the interactive analyzer, or submit your own file for analysis.